Analysis Overview
SHA256
2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b
Threat Level: Known bad
The file 2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b was found to be: Known bad.
Malicious Activity Summary
Amadey
Executes dropped EXE
Checks computer location settings
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 21:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 21:24
Reported
2024-06-15 21:26
Platform
win11-20240611-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Amadey
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 244 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 244 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 244 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b.exe
"C:\Users\Admin\AppData\Local\Temp\2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 244 -ip 244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 244 -ip 244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 244 -ip 244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 244 -ip 244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 244 -ip 244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 244 -ip 244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 244 -ip 244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 244 -ip 244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 244 -ip 244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 244 -ip 244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 1572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 244 -ip 244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 824
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 244 -ip 244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 244 -ip 244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 1220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1468
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1484 -ip 1484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 480
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1284 -ip 1284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 912
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | greendag.ru | udp |
| US | 8.8.8.8:53 | jkshb.su | udp |
| US | 8.8.8.8:53 | osdhs.in.ne | udp |
| KR | 123.140.161.243:80 | jkshb.su | tcp |
| KR | 123.140.161.243:80 | jkshb.su | tcp |
| KR | 123.140.161.243:80 | jkshb.su | tcp |
| NL | 52.111.243.30:443 | tcp |
Files
memory/244-2-0x00000000021B0000-0x000000000221B000-memory.dmp
memory/244-1-0x0000000000620000-0x0000000000720000-memory.dmp
memory/244-3-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
| MD5 | 893d50af13764eeedf3211c87bc435af |
| SHA1 | 6b38b84a31375b7bc6bb536569bbe8becb387c0c |
| SHA256 | 2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b |
| SHA512 | 2cd3d7f1154bdd234b51466a443e5c6369edee0c65999e55c8934cbc70aa7a6d620f2478a45512806c356a00bfff3c72ff0db91b480e0f30817f185ac4008caf |
memory/244-19-0x00000000021B0000-0x000000000221B000-memory.dmp
memory/244-20-0x0000000000400000-0x0000000000470000-memory.dmp
memory/244-18-0x0000000000400000-0x0000000000481000-memory.dmp
memory/1444-22-0x0000000000400000-0x0000000000481000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\394516847340
| MD5 | 1d77185fb4771033a2a07b53a1ff497f |
| SHA1 | 1e4ed818fdac43c830296f4055a9c3b4ee577bc3 |
| SHA256 | e7cfc4da186c0e666989ad6f09f6355ca9c675f81d0c46c9432c18b5ba45f82a |
| SHA512 | 9cf7c887678b6d38e3af686444ca2776ad0f59c3a821e0a2ed3b6a1fb944f6c0f6478a9c01c2a544704120e7d6919997f8d4d59901fd658b4eee99e1f5778be1 |
memory/1444-38-0x0000000000400000-0x0000000000481000-memory.dmp
memory/1484-45-0x0000000000400000-0x0000000000481000-memory.dmp
memory/1484-44-0x0000000000400000-0x0000000000481000-memory.dmp
memory/1484-46-0x0000000000400000-0x0000000000481000-memory.dmp
memory/1484-47-0x0000000000400000-0x0000000000481000-memory.dmp
memory/1284-56-0x0000000000400000-0x0000000000481000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 21:24
Reported
2024-06-15 21:26
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
53s
Command Line
Signatures
Amadey
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3508 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 3508 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 3508 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b.exe
"C:\Users\Admin\AppData\Local\Temp\2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1192
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1180
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1548
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 332 -ip 332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 440
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4824 -ip 4824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 896
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | jkshb.su | udp |
| US | 8.8.8.8:53 | osdhs.in.ne | udp |
| US | 8.8.8.8:53 | greendag.ru | udp |
| US | 8.8.8.8:53 | jkshb.su | udp |
Files
memory/3508-1-0x0000000000680000-0x0000000000780000-memory.dmp
memory/3508-2-0x0000000000610000-0x000000000067B000-memory.dmp
memory/3508-3-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
| MD5 | 893d50af13764eeedf3211c87bc435af |
| SHA1 | 6b38b84a31375b7bc6bb536569bbe8becb387c0c |
| SHA256 | 2c3f52c917a9224b9a7d6fef20c30039fb5ed9de16ac584d386f280332d8ea6b |
| SHA512 | 2cd3d7f1154bdd234b51466a443e5c6369edee0c65999e55c8934cbc70aa7a6d620f2478a45512806c356a00bfff3c72ff0db91b480e0f30817f185ac4008caf |
memory/3508-18-0x0000000000400000-0x0000000000481000-memory.dmp
memory/3508-20-0x0000000000400000-0x0000000000470000-memory.dmp
memory/3508-19-0x0000000000610000-0x000000000067B000-memory.dmp
memory/1272-22-0x0000000000400000-0x0000000000481000-memory.dmp
memory/1272-27-0x0000000000400000-0x0000000000481000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\558294865367
| MD5 | 5f4bfda2cf19be450b01e39ca9c95eb5 |
| SHA1 | dd88009c50e8db485f309587d2a26126140fbab6 |
| SHA256 | 8b7c0319e88048d199e525b62c30f151f3e55ee3b4657aa6f670cac2f17f4463 |
| SHA512 | cb4daaea512dfc460e387b1b9785c7f83c148c208609bef0a2fe4ac09d56cdf62fdb334959a4e0bd86eabb4bd01d94e3952e5038e2bbb749977f9bc56f8c4438 |
memory/1272-39-0x0000000000400000-0x0000000000481000-memory.dmp
memory/332-44-0x0000000000400000-0x0000000000481000-memory.dmp
memory/332-45-0x0000000000400000-0x0000000000481000-memory.dmp
memory/332-46-0x0000000000400000-0x0000000000481000-memory.dmp
memory/4824-55-0x0000000000400000-0x0000000000481000-memory.dmp